Physical records

15th February 2019

We are in the run-up to the first anniversary of GDPR [European Union-wide General Data Protection Regulation] and the Data Protection Act (2018) (DPA 18), and now is as good a time as any to review where we are and identify any consistent failings or blind spots, writes Mike Gillespie, the MD of Advent IM, the security consultancy.

Although the Information Commissioner’s Office (ICO) has changed the way it publicly reports data breach incidents, we know that historically some of the key and repeated failings have always been physical and not digital or ‘cyber’. With this in mind, genuine compliance with DPA 18 is going to prove impossible for organisations that do not take the physical location of information as seriously as they take their digital records.

The historical ICO reports tell us that ‘Data left in an insecure location’, ‘Insecure disposal of paperwork’ and ‘Loss/theft of paperwork’ have proven to be regular causes of data breach and are major contributors to the overall number of breaches (generally well over 20pc). If we add ‘data posted or faxed to incorrect recipient’, this jumps up to 38pc to 44pc in some periods. This is a huge number of breaches, and although we have been handling paper records for many more years than we have digital ones, and have had DPA for long enough to have used it to improve this statistic, apparently we haven’t done so. The reason for this is culture.

On a recent visit to a building, I discovered vast quantities of historic and highly sensitive paperwork in unlocked areas, stockpiled in ancient filing cabinets and file rooms, with the space for people minimised because of the elephant in the room no one wanted to acknowledge … the data. Not only was this a major fail in terms of the confidentiality of this information, there was no way on earth it could be accurate or usable as no one ‘owned’ it, it was not part of any structured filing system and was effectively dumped where it stood and forgotten.

Some of this was highly sensitive information that should never be left in this state. But the problem was that whoever had used it had moved on, and rather than deal with what remained, it had simply been abandoned and then ignored. So we have a massive potential data breach, a fire hazard and the cost of storing this information, simply due to a culture that doesn’t know how to interpret the DPA 18 for its physical records or has allowed the problem to become so unwieldy that it is now completely out of control.

We are yet to see a genuinely massive fine from the UK ICO; it feels like a matter of time. As wearing and counter-productive as the Fear, Uncertainty and Doubt content prior to GDPR was, the truth was in there somewhere, although the focus on Consent has tied everyone up in knots and left the DP baby in the hands of marketers very frequently. Of course there was a great deal more to consider than Consent, but you wouldn’t have believed it, and the attitude that Consent is the only fruit prevails. But where does that leave the paper mountain I encountered? Nowhere, that’s where. Consent is unhelpful in this case because genuine DPA compliance requires a much bigger scope and a look at culture, not only to achieve but to maintain compliance. The paperless office may have been a 90s dream, but like so many other business utopias it has not 100 per cent come to pass, or we would not be looking at over 40pc of data breaches involving paper files and storage costs for out-of-date files, and files that should have been securely shredded years ago would not be sitting around waiting for someone completely inappropriate to find and potentially use or sell them.

… And that is just paper. What about old hardware that is not correctly disposed of at end of life and turns up on eBay for sale with records intact? Although this data set (in ICO stats) is much smaller, the impact of just one of these events could be massive, as digital means allow so many more records to be saved and therefore stolen. Often, a cheaper disposal capability has been used, and of course if there was ever an area where you get what you pay for, security is it.

So what are we to think? Looking at our organisations, we need to look at them as a whole, remove the digital goggles and start to look at all information assets and think about retention policies and storage. Only when we acknowledge and commit to doing something about these vulnerable and sensitive assets will we really be approaching genuine DPA 2018 compliance.

We need to stop thinking that DP is a project with an endpoint. It is something we need to get our arms round now, and records management is going to help support successful outcomes for Data Protection. Most of all we need to be honest. There is absolutely no point in pretending this isn’t a problem. If we continue to breach paper records at the rate we have been, then the likelihood of a major fine for a body or organisation becomes even greater. The results for the data subjects could be catastrophic, and at the end of the day we are ALL data subjects, entitled to and indeed in ownership of our own data and able to hold to account those organisations that treat it disrespectfully or in a non-compliant way. Ask yourself, ‘if this were my data, would I be happy for it to be in this unlocked cabinet in an insecure corridor?’ The resulting answer will give you a very good steer about what needs to change. Yes, it will be a big task, no one ever said it wouldn’t, but given the amount of resource thrown at GDPR, this key area must take its fair share of that resource and no mistake.